1999-05-19-17:36:50 Carric Dooley:
> That is a religious argument my friend. Personally I would say an
> application proxy is more secure, but harder to manage and slower. I bet
> this will spark off some sort of debate however.

How can I pass up a teaser like that?!?

I don't like the phrase "more secure"; I don't think it's useful. Rather, I
would agree with what I think you meant, which is that the tools you can
implement using proxies allow you to enforce stricter security policies while
still allowing some useful functionality; packet filters are cruder, with less
of that cool grey area between letting marauders in to sack the joint, and
letting users get their work done.

Harder to manage I just do not see. I've set up and administered proxy based
firewalls, packet filters, and hybrids, and all of 'em without exception are
pretty cryptic when you first hit 'em; once you have your security stance laid
out in a well-commented spec file that implements it in whatever local tool,
it gets simple and clear. I don't think either of packet filters or proxies
are intrinsically easier or harder to manage than the other.

There's something to the speed criticism; with equal CPU horsepower and
comparable attention to performance in coding, your packet filter may be able
to support a bit higher bandwidth, and should have distinctly quicker latency.
But if a reasonable-power machine has no trouble being sufficiently fast with
proxies, then that issue can be ignored, and in my experience a moderate
Pentium system, slow by today's standards, introduces no delays that bother
users when doing strictest proxy firewalling of a T1. Now there's a place
where we need to be grateful to Microsoft: their software continues to stay
too big and slow for any available hardware, so keeps the market impetus to
speed up hardware. Any software that's better written enjoys a really nice
side-effect benefit.

-Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
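The granularity difference Bennett describes (a packet filter decides on addresses, protocol and ports; an application proxy parses the protocol and can say yes to some requests on the same port and no to others) can be shown in a few lines. The following is an added example written for this archive page, not code from the original post or from any firewall product; the `Packet` structure, the HTTP parser and the sample requests are constructed for illustration.

```python
"""Added illustrative example (not from the original post): a packet-filter
decision versus an application-proxy decision on the same port-80 traffic.
All sample packets and requests below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The only fields a stateless packet filter gets to look at (constructed)."""
    src: str
    dst: str
    proto: str
    dport: int


def packet_filter(pkt: Packet) -> bool:
    """Packet-filter policy: allow outbound TCP/80 from the 10.0.0.0/16 side,
    drop everything else.  It cannot tell a GET from a POST, or HTTP from
    some other protocol someone runs on port 80."""
    return pkt.proto == "tcp" and pkt.dport == 80 and pkt.src.startswith("10.0.")


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request-line and header parser (illustrative, not RFC-complete).
    Raises ValueError/IndexError on anything that is not a well-formed request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers}


# Assumed local policy: read-only methods only, one host explicitly denied.
ALLOWED_METHODS = {"GET", "HEAD"}
BLOCKED_HOSTS = {"blocked.example"}


def proxy_policy(raw: bytes) -> bool:
    """Application-proxy policy for the same port-80 flow.  Because the proxy
    understands HTTP it can permit ordinary browsing while refusing other
    methods, a disallowed Host, or bytes that are not HTTP at all."""
    try:
        req = parse_http_request(raw)
    except (ValueError, IndexError):
        return False  # not parseable as HTTP: fail closed
    if req["method"] not in ALLOWED_METHODS:
        return False
    host = req["headers"].get("host", "").split(":")[0]
    if host in BLOCKED_HOSTS:
        return False
    return True


def compare(pkt: Packet, payload: bytes) -> dict:
    """Return both verdicts side by side so the difference is visible."""
    return {"packet_filter": packet_filter(pkt),
            "proxy": packet_filter(pkt) and proxy_policy(payload)}


if __name__ == "__main__":
    client = Packet(src="10.0.1.5", dst="198.51.100.7", proto="tcp", dport=80)
    samples = {  # constructed request bytes
        "plain GET": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "POST upload": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "blocked host": b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n",
        "non-HTTP on port 80": b"\x16\x03\x01\x00\x5a",
    }
    for label, payload in samples.items():
        print(f"{label:22s} {compare(client, payload)}")
```

Every one of the four flows is identical to the packet filter (TCP/80 from an inside host, so allowed), while the proxy passes only the plain GET; that is the "grey area" the post refers to, and the price for it is that the proxy has to parse every request, which is where the latency and CPU cost in the third paragraph come from.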